broken validation of dependency installer signature
Bug #1632502 reported by Jakub Wilk
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Pipelight | Fix Committed | Critical | Unassigned |
Bug Description
This code is supposed to "ensure the signature is valid":
if ! /usr/bin/gpg --batch --no-default-
rm "$tmpfile"
rm "$decfile"
echo ""
echo "ERROR: Failed to verify signature of the dependency-
return 1
fi
"gpg --decrypt" does verify signature, but only if the file is actually signed.
If the file is not signed, gpg just happily decrypts it.
Proof-of-concept of a crafted dependency installer script that passes this signature check is attached.
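The safe way to consume gpg's verdict is not the exit status of "gpg --decrypt" but its machine-readable status output: gpg prints a GOODSIG line only when a signature was present and verified, and a VALIDSIG line carrying the signing key's full fingerprint. The following POSIX shell is an added example written for this bug page, not Pipelight's own installer code; the keyring path, output path and the fingerprint values are placeholders, and the status transcripts fed to the parser are constructed to stand in for what gpg emits on a signed and on an unsigned file.

```shell
#!/bin/sh
# Added example (not Pipelight's code): accept a dependency installer only if
# gpg reports a verified signature from a pinned key. Paths and fingerprints
# below are placeholders.

# signature_ok STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the "[GNUPG:] ..." output of "gpg --status-fd".
# Returns 0 only if a GOODSIG line exists AND a VALIDSIG line names the
# expected key fingerprint. Unsigned input never emits either line, so it is
# rejected even though "gpg --decrypt" would exit 0 for it.
signature_ok() {
    status="$1"
    expected_fpr="$2"
    case "$status" in
        *"[GNUPG:] GOODSIG "*) ;;          # a signature was found and checked
        *) return 1 ;;                     # no signature at all (the bug here)
    esac
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) return 0 ;;   # pinned key
        *) return 1 ;;                     # signed, but not by our key
    esac
}

# verify_and_decrypt SIGNED_FILE OUT_FILE KEYRING EXPECTED_FPR
# Hardened replacement for a bare "gpg --decrypt" check: status lines go to
# stdout via --status-fd 1, the plaintext goes to OUT_FILE via --output, and
# OUT_FILE is removed unless signature_ok accepts the status transcript.
verify_and_decrypt() {
    signed_file="$1"; out_file="$2"; keyring="$3"; expected_fpr="$4"
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --output "$out_file" --decrypt "$signed_file" \
                 2>/dev/null) || { rm -f "$out_file"; return 1; }
    if signature_ok "$status" "$expected_fpr"; then
        return 0
    fi
    rm -f "$out_file"
    echo "ERROR: dependency installer is not signed by the expected key" >&2
    return 1
}

# Constructed status transcripts (placeholder fingerprint), not real gpg output.
TRUSTED_FPR='ABCDEF0123456789ABCDEF0123456789ABCDEF01'
SAMPLE_SIGNED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ABCDEF0123456789ABCDEF01 Placeholder Key <key@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2016-10-11 1476183000 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] PLAINTEXT 62 1476183000 installer.sh'
SAMPLE_UNSIGNED_STATUS='[GNUPG:] PLAINTEXT 62 1476183000 installer.sh'
SAMPLE_WRONG_KEY_STATUS='[GNUPG:] GOODSIG 0000000000000000 Other Key <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-10-11 1476183000 0 4 0 1 10 00 0000000000000000000000000000000000000000'

if [ "${0##*/}" = "verify_installer.sh" ]; then
    signature_ok "$SAMPLE_SIGNED_STATUS" "$TRUSTED_FPR"   && echo "signed by pinned key: accepted"
    signature_ok "$SAMPLE_UNSIGNED_STATUS" "$TRUSTED_FPR" || echo "unsigned: rejected"
    signature_ok "$SAMPLE_WRONG_KEY_STATUS" "$TRUSTED_FPR" || echo "wrong key: rejected"
fi
```

Pinning the VALIDSIG fingerprint matters as much as checking for GOODSIG: a keyring populated only with the project key already limits who can sign, but checking the fingerprint in the script makes the trust decision explicit and survives a keyring that later grows extra keys.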
Changed in pipelight:
status: New → Triaged
importance: Undecided → Critical
Changed in pipelight:
status: Triaged → Fix Committed
I can reproduce the behavior. Seems like we only tested it with invalid signatures and didn't pay enough attention to the gpg documentation. The issue itself shouldn't be sufficient for a MiM attack though. The file is downloaded via HTTPS and unless the repository gets hacked, no one should be able to remove the signature. Nevertheless, we should try to fix the bug.
The only problem is that we didn't plan any further releases since Firefox wants to remove NPAPI support at the end of the year. We for example would need to set up our build servers for Debian again, otherwise some users wouldn't get the fix. There are some open questions that need to be answered before we can publish a new version, so I fear it might take a bit before a fixed version gets released.